Isolating one group of computers

I have a fibre optic DSL connection and several computers on a home network. My wife is not interested in learning how not to avoid malware and principally uses a WXP Home computer, but she also does banking on her Apple Mac Mini. I would like to isolate the Mac Mini and my linux computer from the wired/wifi network that we now use. (BTW we are out in the countryside and the WiFi is unlikely to be problematic).

I was thinking about putting a D-Link DI-604 router behind one of the wired ports on the existing Zyxel P330W v2 wifi router. The idea is that wife, kids, and guests can browse, hopefully not getting infected, but in any case 'isolated' (?) from the D-Link network behind.

I can imagine the possibility of a sniffer getting installed on the Zyxel network which might then be able to monitor traffic from/to the D-Link network as it passes through the Zyxel. Would such a sniffer be able to monitor the Zyxel traffic or is the latter encrypted or otherwise unsniffable as it leaves the D-Link and passes through the Zyxel?

Alternatively, is there a way for the two routers to sit side by side and somehow share the DSL connection without being reachable by the other, say if a switch sat in front of the routers (don't know if a switch will divide traffic in this way or not).

> I have a fibre optic DSL connection and several computers on a home network. My wife is not interested in learning how not to avoid malware and principally uses a WXP Home computer, but she also does banking on her Apple Mac Mini. I would like to isolate the Mac Mini and my linux computer from the wired/wifi network that we now use.

So the isolation is to protect you from possible infections from her? The Mac has
a firewall too and there aren't too many direct attacks on Macs --
but yes you can isolate it from the others

> I was thinking about putting a D-Link DI-604 router behind one of the wired ports on the existing Zyxel P330W v2 wifi router. The idea is that wife, kids, and guests can browse, hopefully not getting infected, but in any case 'isolated' (?) from the D-Link network behind.
>
> I can imagine the possibility of a sniffer getting installed on the Zyxel network which might then be able to monitor traffic from/to the D-Link network as it passes through the Zyxel. Would such a sniffer be able to monitor the Zyxel traffic or is the latter encrypted or otherwise unsniffable as it leaves the D-Link and passes through the Zyxel?

Yes a sniffer on the Zyxel will see ALL traffic as it is the highest level router but only see the tcp header info, not the payload of every packet due to encryption

> Alternatively, is there a way for the two routers to sit side by side and somehow share the DSL connection without being reachable by the other,

The secret is the Default Gateway. Unless there is a specific route to force
output to a specific subnet, all traffic flows upward thru the Default Gateway.
The Zyxel attached systems will flow ONLY up to the ISP.
The DI-604 attached devices will flow Up to the Zyxel. Any software attempting
to 'probe for other systems' could discover systems attached to it but not see them
as easily as looking for File Shares (which is the only access that could be acquired anyway).

If you FLIP the positions of the router, eg Modem--Di-604--Zyxel, then the WiFi system would never reach the Zyxel systems.

> say if a switch sat in front of the routers (don't know if a switch will divide traffic in this way or not)
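Added example, not from either poster: the default-gateway reasoning in the reply above, worked as a small longest-prefix-match forwarder over the nested layout (wall plate -> Zyxel -> DI-604). The addresses, route tables and router names are assumed for illustration; 203.0.113.0/24 is a documentation range standing in for the ISP. NAT is not modelled, only which networks each router has a route to.

```python
import ipaddress

# Constructed topology for this example (assumed; not the poster's real addresses):
#   ISP gateway    203.0.113.1                          (stands in for the fibre converter's upstream)
#   Zyxel P330W v2 WAN 203.0.113.10, LAN 192.168.1.1/24 (wife, kids, guests: the "insecure" network)
#   D-Link DI-604  WAN 192.168.1.2,  LAN 192.168.2.1/24 (Mac Mini and Linux box)


class Router:
    """Minimal IPv4 forwarder: longest-prefix match over a static route table."""

    def __init__(self, name, routes, forwards_private=True):
        # routes: (prefix, next_hop); next_hop None means the prefix is directly attached
        self.name = name
        self.routes = [(ipaddress.ip_network(p), nh) for p, nh in routes]
        self.forwards_private = forwards_private  # an ISP will not carry RFC 1918 destinations

    def lookup(self, dst):
        if dst.is_private and not self.forwards_private:
            return None
        best = None
        for net, nh in self.routes:
            if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        return best


ROUTERS = {
    "isp": Router("isp", [("203.0.113.0/24", None), ("0.0.0.0/0", None)], forwards_private=False),
    "zyxel": Router("zyxel", [("192.168.1.0/24", None), ("203.0.113.0/24", None),
                              ("0.0.0.0/0", "203.0.113.1")]),
    "di604": Router("di604", [("192.168.2.0/24", None), ("192.168.1.0/24", None),
                              ("0.0.0.0/0", "192.168.1.1")]),
}

# Which router owns each interface address, so a next hop resolves to a router.
OWNER = {
    "203.0.113.1": "isp",
    "203.0.113.10": "zyxel", "192.168.1.1": "zyxel",
    "192.168.1.2": "di604", "192.168.2.1": "di604",
}


def first_hop(src):
    """A host hands everything it cannot deliver itself to its default gateway."""
    src = ipaddress.ip_address(src)
    if src in ipaddress.ip_network("192.168.2.0/24"):
        return "di604"
    if src in ipaddress.ip_network("192.168.1.0/24"):
        return "zyxel"
    return "isp"


def trace(src, dst, max_hops=8):
    """Walk a packet from src towards dst. Returns (delivered, [routers traversed])."""
    dst = ipaddress.ip_address(dst)
    router, path = first_hop(src), []
    for _ in range(max_hops):
        path.append(router)
        route = ROUTERS[router].lookup(dst)
        if route is None:
            return False, path          # no route: the packet is dropped here
        _net, next_hop = route
        if next_hop is None:
            return True, path           # directly attached: delivered on this router's link
        router = OWNER[next_hop]
    return False, path


if __name__ == "__main__":
    cases = [
        ("192.168.1.20", "192.168.2.50", "Zyxel LAN (XP box) -> DI-604 LAN (Mac)"),
        ("192.168.2.50", "192.168.1.20", "DI-604 LAN (Mac) -> Zyxel LAN (XP box)"),
        ("192.168.2.50", "8.8.8.8", "DI-604 LAN (Mac) -> internet, via the Zyxel"),
        ("192.168.1.20", "192.168.1.2", "Zyxel LAN -> the DI-604's own WAN port"),
    ]
    for src, dst, label in cases:
        ok, path = trace(src, dst)
        print(f"{label}: {'delivered' if ok else 'DROPPED'} via {' -> '.join(path)}")
```

Running it shows the isolation is one-way: hosts on the Zyxel LAN have no route to 192.168.2.0/24 (the packet goes to the ISP and dies there), everything the Mac sends leaves through the Zyxel where a sniffer could see it, and the inner LAN can reach hosts on the outer one. The machines to be protected therefore belong behind the inner router, and since the DI-604's own WAN address is reachable from the outer LAN, its admin interface should not be enabled on the WAN side.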

The Zyxel is the Wi-Fi, so it would handle guests (wireless), kids (wired and wireless) and wife (who is always wired). I will refer to this as the insecure network because of possible user behaviour.

The D-link is wired only, and because of its age, I should ask if it needs replacing with a later router that might have better built-in security?

For clarification, I have fibre optic to my home and the incoming terminates on an exterior wall where a converter box (modem/gateway type device) which converts the optical signal to a digital signal, is installed. The digital line then comes into the house like a phone line. So I do not have a modem per se inside the house but rather now plug my router directly into a RJ45 female socket in the interior wall.

I'm unsure if I understand your guidance on use of a switch. Depending on how separate communications streams on different ports are from each other, an ideal solution for me (because I already have all three pieces of kit) is a switch plugged into the wall, with the two routers plugged into it. My linux computer and her Mac will sit behind the (wired-only) D-Link, and I think I can train her to simply unplug the insecure network router from the switch when she is doing online banking.

Very helpful although I see I have confused things.
> The Zyxel is the Wi-Fi, so it would handle guests (wireless), kids (wired and wireless) and wife (who is always wired). I will refer to this as the insecure network because of possible user behaviour.

more likely I did got it now

> The D-link is wired only, and because of its age, I should ask if it needs replacing with a later router that might have better built-in security?

nope

> For clarification, I have fibre optic to my home and the incoming terminates on an exterior wall where a converter box (modem/gateway type device) which ...

That's your modem+router

> I'm unsure if I understand your guidance on use of a switch. Depending on how separate communications streams on different ports are from each other, an ideal solution for me (because I already have all three pieces of kit) is a switch plugged into the wall, with the two routers plugged into it. My linux computer and her Mac will sit behind the (wired-only) D-Link, and I think I can train her to simply unplug the insecure network router from the switch when she is doing online banking.

yes that would work but only if your modem+router has DHCP and would assign a unique IP address to each. You'll find out quick enough like this
1) connect the switch to the wall plate
2) connect the wired router to a switch port and one running system to the router;
test should give timing data using

3) now connect the other router to the switch (you don't need a system attached to it just yet)

Repeat the test in (2); should give same results. *IF* NOT, enter ipconfig /all
and it's likely that you have no ip address assigned -- due to IP Address Conflict.
This says the modem+router has no DHCP and therefore you can not use the switch as the first device connected to the wall plate

> My linux computer and her Mac will sit behind the (wired-only) D-Link, and I think I can train her to simply unplug the insecure network router from the switch when she is doing online banking.

You can but that is overkill

show her the WAN side connection to the WiFi router and disconnect it (which is still overkill)

Back to Encryption:
The WiFi router can be configured with {wep,wpa,wpa2} encryption -- the D-link wired has NONE! Therefore, the online banking relies upon https (SSL) to encrypt the data packets.

Let's investigate the ISP connection. Connect any system (with a firewall active)
directly to the wall plate. Test using (2) above to be sure you're connected.

Then use ipconfig /all >mytcp.txt and follow-up by attaching mytcp.txt

That will tell us your exposure to a sniffer upstream from your wall plate.

hmm; the ISP router is at 192.168.0.1
and your system is on the same subnet 192.168.0.*
as 192.168.0.105

This means you have no NAT isolation from any of the other 253 systems attached to 192.168.0.1

Normally we get a public address like 76.183.108.74 assigned to our first device
and the NAT creates lan addresses like 192.168.0.* and DHCP gives us the ISP gateway like 76.183.xxx.1; Any attempt to make a direct attack *must* be able to perform Nat Traversal , which is not trivial.

With your IP on the same subnet as the gateway, Nat Traversal is not required
and your Sole protection to a direct attack is your Firewall

Online Banking:
The SSL Encryption is end-to-end, ie: the bank website to your wife's Macintosh.
A sniffer on the 192.168.0.* subnet

will see every url accessed

will see every email sent

will not see SSL Encrypted data sent to the bank

btw: your PC and Linux systems are equally exposed. Your big issue is to be sure
that anytime you enter a password (eg email login) that the connection uses
TLS or SSL
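Added example, not from either poster: the reading of an ipconfig /all dump given in the reply above (private address, gateway on the same subnet, 253 other possible hosts, DNS pointing at the router) and the earlier switch test ("enter ipconfig /all and it's likely that you have no ip address assigned"), as a small parser plus the checks. The sample output is constructed in the Windows XP layout using the addresses quoted in the thread; it is not the poster's capture.

```python
import ipaddress
import re

# Constructed `ipconfig /all` output (Windows XP layout) using the addresses quoted in
# the thread; it is not the poster's capture.
SAMPLE_IPCONFIG = """\
Windows IP Configuration

        Host Name . . . . . . . . . . . . : xp-home
        Node Type . . . . . . . . . . . . : Unknown

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : Realtek RTL8139 Family PCI Fast Ethernet NIC
        Physical Address. . . . . . . . . : 00-11-22-33-44-55
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.0.105
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.0.1
        DHCP Server . . . . . . . . . . . : 192.168.0.1
        DNS Servers . . . . . . . . . . . : 192.168.0.1
"""

# "Label . . . . : value"; the label may contain spaces and hyphens, the dots are padding.
FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z0-9 /-]*?)[ .]*:\s*(.*?)\s*$")


def parse_ipconfig(text):
    """Fields of the first adapter that has an address, as {lowercase label: value}.
    Vista and later print 'IPv4 Address' with a '(Preferred)' suffix; both are accepted."""
    adapters, current = [], {}
    for line in text.splitlines():
        if line and not line[0].isspace() and line.rstrip().endswith(":"):
            current = {}                      # "Ethernet adapter ...:" starts a new block
            adapters.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and m.group(2):
            value = re.sub(r"\(.*?\)", "", m.group(2)).strip()
            current[m.group(1).strip().lower()] = value
    for adapter in adapters:
        if "ip address" in adapter or "ipv4 address" in adapter:
            return adapter
    return {}


def assess(adapter):
    """Answer the questions the thread asks of an ipconfig dump."""
    ip_text = adapter.get("ip address") or adapter.get("ipv4 address")
    if not ip_text:
        return {"has_address": False}         # nothing assigned: no DHCP answer, or an address conflict
    ip = ipaddress.ip_address(ip_text)
    if ip in ipaddress.ip_network("169.254.0.0/16"):
        return {"has_address": False}         # APIPA self-assigned: the DHCP request went unanswered
    net = ipaddress.ip_network(f"{ip}/{adapter['subnet mask']}", strict=False)
    gateway = ipaddress.ip_address(adapter["default gateway"])
    dns = adapter.get("dns servers")          # only the first DNS server line is parsed
    return {
        "has_address": True,
        "dhcp_lease": adapter.get("dhcp enabled", "").lower() == "yes",
        "address_is_private": ip.is_private,
        "gateway_is_private": gateway.is_private,
        "gateway_on_link": gateway in net,
        # the router answers port-53 queries itself and forwards them to the ISP's resolvers
        "dns_is_gateway": dns is not None and ipaddress.ip_address(dns) == gateway,
        # a /24 has 256 addresses; drop network, broadcast and this host: 253 others
        "other_hosts_on_link": net.num_addresses - 3,
        "gateway": str(gateway),
    }


def exposure(a):
    """One-line reading, in the terms the reply uses."""
    if not a["has_address"]:
        return "no address: upstream DHCP is not answering (or two routers clashed); the switch-first layout cannot work"
    if not a["address_is_private"]:
        return "public address on the host: no NAT between you and the ISP; the host firewall is the only barrier"
    return (f"private address; up to {a['other_hosts_on_link']} other hosts can sit on this link behind "
            f"{a['gateway']}; whether that gateway is your own router or the ISP's is what tracert settles")


if __name__ == "__main__":
    result = assess(parse_ipconfig(SAMPLE_IPCONFIG))
    for key, value in result.items():
        print(f"{key:22} {value}")
    print(exposure(result))
```

ipconfig alone cannot say whether 192.168.0.1 is your own router or a box the ISP shares between customers; it only tells you how big the link is and that DNS is being proxied by the gateway. That last question is the one the tracert later in the thread answers.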

I was assuming that the ip # is that of the converter box (on the outside wall of my home). If I run www.myipaddress.com, I get an ip address beginning with a 2 digit number which I have assumed is that of my ISP. Am I off base here?

BTW, for the switch test, I got a normal ping response from the first router, but when I substituted the second router, I got:

jobeard, just tried to pm you but I am a few posts shy of the 45 needed to be able to pm. If you can pm me, please send an email address to which I can send you the results of an ifconfig from my linux computer. (Too much info for a public post) Thanks.

I now realize that I was confused about your post. From memory, (notoriously unreliable) every time I run ipconfig at the office, the ip address shown is always a private address, just as in my computer at home, but the dns server (and maybe the DHCP server?) is a non-private address. In my mind, I "transposed" the ip address reference given in your comments with "dns server".

The dns server address in the previous post was "DNS Servers . . . : 192.168.0.1" and this is a private address. So what I want to understand is why in this instance is a private address showing up as the dns server address?

> I was assuming that the ip # is that of the converter box (on the outside wall of my home). If I run www.myipaddress.com, I get an ip address beginning with a 2 digit number which I have assumed is that of my ISP. Am I off base here?

No that is what I really expected to see from the ipconfig,
so now I'm confused as to how you're wired

For a DSL Connection, we get a phone line (at the wall plate) --> (ip)modem+router
For a Cable setup, we get Coax cable -> (ip)Modem -->Router
In both cases, (ip) is a public address.

Can you report the make/model of the box that connects directly to the cable coming from the wall please.

What kind of connection is made at the wall plate (RJ45 Ethernet vs RJ323 phone cable)?

Can you get me the first four lines from (run->cmd) and enter
tracert www.google.com

> So what I want to understand is why in this instance is a private address showing up as the dns server address?
>
> Thanks for any clarification.

That's easy ... the gateway address and dns address is that of the router. Basically your system makes a DNS request (on port 53) to the router, which knows enough to forward it out to the ISP -- very common setup.

great!
(1) is from your router and the ISP gateway should be at (2)-- a public address

Now then, the issue is the input to the DI-604. Where and what is the device to which it is connected at the other end?? That has to be a modem/router and that makes me question #2 and #4 entries. Whoever has access to that device has
control over your subnet.

This is a fibre optics connection. Does that matter? The forward device on the other end of my D-link ethernet cable is the converter box on the outside wall of the house. I suppose it is roughly equivalent to a modem, but in this case it converts the optical signal to digital.

You said #2 and 4 (verizon). Did you mean 2 and 3? This is my ISP of course, but what about the tracert return gives rise to alarm? Isn't this what we are supposed to see on a tracert, i.e, from the router to the ISP, and onward? I am surely missing something here.

Or was the "alarm" caused by the ipconfig results which I guess I don't understand. I think I had just assumed that ipconfig showed only stuff in the private network and that another command, such as tracert is needed to see "outside".

I have a good friend with FiOS and the connection comes into the home and connects
to a F.O. modem+router.

Let's assume that your F.O. modem+router are enclosed in a box outside the home.
That becomes the equivalent of a Cable Modem setup and comments in post 6 above do not apply.
(I have seen setups where the ISP did have multiple customers on the same subnet :bad idea: )

>> Does that matter?
Not in your case

> You said #2 and 4 (verizon). Did you mean 2 and 3? This is my ISP of course, but what about the tracert return gives rise to alarm? Isn't this what we are supposed to see on a tracert, i.e, from the router to the ISP, and onward? I am surely missing something here.

as you doctored the first two digits of the results for privacy, I could not verify who owned those IP addresses. #4 was verifiable.
If the ISP address really was the 192.x.x.1, then the tracert would have shown a transition to a public IP. All systems on the 192.x.x.* subnet would have been an exposure to your security. That is now put to bed and NOT an issue

> Or was the "alarm" caused by the ipconfig results which I guess I don't understand. I think I had just assumed that ipconfig showed only stuff in the private network and that another command, such as tracert is needed to see "outside".

you have that ALL correct.

By connecting a system directly to the wall plate, I was attempting to discover what was on the network. Rather goofy that the address on that line ended in x.105, but that can be insignificant as yours appears to be.